PHP52 vulnerability
Xin LI
delphij at gmail.com
Thu Mar 3 20:52:26 UTC 2011
Hi,
On Thu, Mar 3, 2011 at 12:09 PM, Andrea Venturoli <ml at netfence.it> wrote:
> Hello.
>
> As you probably know, it looks like php52 is vulnerable:
>
> Affected package: php52-5.2.17
> Type of problem: php -- NULL byte poisoning.
> Reference:
> http://portaudit.FreeBSD.org/3761df02-0f9c-11e0-becc-0022156e8794.html
>
> Is there any news on the horizon?
I think PHP developers haven't get that patched for 5.2.x (yet), as
the branch is considered to be obsolete. We may have to patch the
port ourselves.
Note that FreeBSD PHP port comes with Suhosin by default, which
_could_ have mitigated the attack (disclaimer: I'm not very confident
that this solves all problems, though, as it requires a more through
code review).
Cheers,
--
Xin LI <delphij at delphij.net> http://www.delphij.net
More information about the freebsd-ports
mailing list